Mobile application privacy management is now more important than ever—at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing increasing attention—both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the FTC and FDA’s additional scrutiny into wellness and health services should increase management’s focus on improving mobile application development tools and processes.

Within a single global organization, product managers in different business units, and sometimes in different affiliated companies, often develop mobile applications independently. Adding to this complexity, companies often use outsourced mobile developers, putting mobile applications still another step away from the oversight of the privacy officer.

According to Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real—the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.

Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered Fandango and Credit Karma to undergo security assessments every other year for the next 20 years because of their insecure transmission of data. To prevent a possible public backlash in the event of a perceived privacy violation, the privacy officer should also review mobile application designs and implementations. For example, privacy officers should analyze whether an application requests an overly broad set of permissions, which may indicate high privacy risk or be considered suspicious activity.

To manage data privacy risk, privacy officers must have a handle on the data that is collected, the security of data transfer, and all third parties accessing the mobile application, across all of their companies’ mobile applications. Privacy officers can use in-house technology or hire a vendor to provide this information, which the privacy officer then maps against in-house guidelines and regulations to determine whether there is a privacy risk. Depending on how many applications a company has and how often it updates them, this can drain a lot of resources. To efficiently manage the privacy risk of mobile applications across the company, a privacy officer needs:

Condensed, relevant and actionable data to assess privacy risk. The report should either be a standalone privacy report or a comprehensive separate section within a security report.

An automated or partially automated tool to generate the information.

Sufficient resources internally or outsourced to analyze the findings and flag any privacy risks.

TRUSTe Mobile App Assessments

The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe mobile assessments help you analyze applications by gathering information within network traffic, system API calls, log activities, and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.

TRUSTe Standard Mobile Assessments provide the privacy officer with all the information necessary to analyze the privacy risk of a mobile application. The discovery report lists:

Third-party domains, frameworks, and SDKs attached with company metadata and the Privacy Sensitivity Score from the proprietary TRUSTe Vendor Database

The data collected

Which third party is collecting data and/or what data the third party is collecting

What data is stored on the device

Any insecure transmissions (those that are unencrypted or that use misconfigured encryption)

The permissions an app is requesting

With this information, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.

In addition, TRUSTe offers a premium mobile assessment service that provides manual technical analysis to generate an even more detailed report. This identifies any areas in the mobile application that pose privacy risks and provides intelligent remediation recommendations. TRUSTe can also compare the mobile app findings against applicable regulations to highlight any noncompliance risks.

To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk scanning and assessment solutions. To learn more about these new TRUSTe scanning offerings, contact hhuang@truste.com.

TRUSTe’s Cookie Consent solution has been helping global companies comply with the EU Cookie Directive and continues to evolve into the most robust platform that is completed by TRUSTe’s privacy brand.

TRUSTe’s Cookie Consent integrates with leading Tag Management Systems (TMS) in order to help companies comply with the “zero-cookie” load requirement, specifically under CNIL’s laws. The “zero-cookie” requirement means that no trackers, other than the exempted ones, are dropped until the user has consented. TRUSTe has a preferred partnership with Signal and has already developed an integration with Google TMS. (You may have also seen us in Tealium’s portal.)

TRUSTe has a Cookie Consent API that gives Tag Management Systems the ability to read the user’s level of consent in order to respect the user’s preferences.

The newest addition to TRUSTe’s TMS family is Adobe DTM (Dynamic Tag Manager). TRUSTe has been working closely with the Adobe DTM team to ensure that clients who use Adobe DTM are able to seamlessly use TRUSTe Cookie Consent in their system.

The Cookie Consent integrates with Adobe DTM in a three-step process:

The first step is simply to add the Cookie Consent script, as you would any other Third Party Tag in DTM.

The second step is to apply a special Tag that reloads the page when a user has changed their preference, thereby loading any newly allowed Tags/Rules.

The third step is to apply a Condition to any Rule you want covered by the Cookie Consent.

Adobe DTM uses the consent Cookie Name and Cookie Value to communicate the user-level consent back to the TMS for compliance.
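The three steps above, worked through as an added example. This is not TRUSTe’s or Adobe’s code: it assumes a consent cookie (hypothetical name `example_consent`) whose value is a comma-separated list of permitted categories, using the Required, Functional and Advertising categories the Cookie Consent Manager produces. The pure functions model the DTM Condition (step 3) and the reload-on-change Tag (step 2); the browser-only part at the bottom shows how they would be wired up against the live cookie jar.

```javascript
// Added example (not TRUSTe's or Adobe's code). Assumes a consent cookie whose
// value is a comma-separated list of permitted categories, e.g.
// "required,functional"; the cookie name and encoding are hypothetical.
const CONSENT_COOKIE_NAME = 'example_consent'; // hypothetical name
const CATEGORIES = ['required', 'functional', 'advertising'];

// Pull one cookie out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Categories the user has permitted. With no cookie at all we are in the
// "zero-cookie" state: only the Required category may load.
function allowedCategories(cookieHeader) {
  const allowed = new Set(['required']);
  const raw = readCookie(cookieHeader, CONSENT_COOKIE_NAME);
  if (raw === null) return allowed;
  for (const cat of raw.split(',')) {
    const c = cat.trim().toLowerCase();
    if (CATEGORIES.includes(c)) allowed.add(c);
  }
  return allowed;
}

// Step 3: the Condition attached to a DTM Rule. Returns true only when the
// Rule's category is permitted, so the tag is never injected before consent.
function ruleCondition(cookieHeader, category) {
  return allowedCategories(cookieHeader).has(category);
}

// Runs a tag loader only when the Condition passes; reports what it did.
function gateTag(cookieHeader, category, loadTag) {
  if (!ruleCondition(cookieHeader, category)) return false;
  loadTag();
  return true;
}

// Step 2: detect a changed preference so the page can be reloaded and any
// newly allowed Rules evaluated again.
function consentChanged(previousHeader, currentHeader) {
  const before = [...allowedCategories(previousHeader)].sort().join(',');
  const after = [...allowedCategories(currentHeader)].sort().join(',');
  return before !== after;
}

// Browser usage: evaluate against the live cookie jar and reload on change.
if (typeof document !== 'undefined') {
  const snapshot = document.cookie;
  gateTag(document.cookie, 'advertising', () => {
    const s = document.createElement('script');
    s.src = 'https://tags.example/ad.js'; // hypothetical vendor tag
    document.head.appendChild(s);
  });
  setInterval(() => {
    if (consentChanged(snapshot, document.cookie)) window.location.reload();
  }, 1000);
}
```

The default branch is the important one: with no cookie present, `allowedCategories` returns only `required`, so every non-exempt Rule stays blocked until the user has actually consented, which is the zero-cookie behaviour described above.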

TRUSTe has a flexible Cookie Consent API that is ready to integrate with any TMS to enable an easy tag integration. If you have a TMS partner you would like to integrate with TRUSTe Cookie Consent, please email us for next steps! CNIL has just done a cookie sweep. If you are not yet prepared for the next one, please email us now at hhuang@truste.com.

TRUSTe’s Cookie Consent Manager assists clients in complying with the EU Cookie Directive laws in EU countries. TRUSTe is proud to offer both Managed Services and Self-Service options to our clients. TRUSTe’s Managed Services team helps set up, brand, and generate a customized Cookie Consent Manager from start to finish. A dedicated Account Manager acts as global deployment project manager to help get a proper Notice, Consent, and Control mechanism up and running. Having a dedicated Account Manager is nice, but TRUSTe also offers a robust Self-Service Portal to manage and update your Cookie Consent Manager.

Below is the Dashboard of TRUSTe portal:

You will have access to the following applications, which contain every tool you need to set up a proper Cookie Consent Manager.

TRUSTe’s in-house proprietary crawler scans thousands of pages, identifying and classifying trackers to provide the recommended categorization of cookies into Required, Functional, and Advertising automatically, making it easier to maintain an accurate, up-to-date Cookie Consent Manager.

Consent Manager CMS: Customize the verbiage and HTML/CSS of the Cookie Consent Notice mechanism. Whether it’s a simple logo change or adding an additional link to the Notice frame, TRUSTe allows full flexibility on customizing the look & feel of the Cookie Consent Manager so that it flows seamlessly with your website.

TRUSTe’s Cookie Consent Manager can be set up as a banner, a button/text, or an express pop-in, to comply with the lowest to the strictest level of consent across the EU countries. Cookie Consent Manager is only one of the many integrated solutions for efficiently managing global privacy regulations from one single platform. Discover, assess, and monitor global compliance regulations and projects from one single platform, with integrated technology compliance solutions at your fingertips.

Earlier this year, TRUSTe launched TRUSTed Interests: a new product that allows consumers to express their interests and to share them with the advertising ecosystem participants. In order to make this data available to interested parties, TRUSTe just released a PUSH API and this short blog post provides a few details around this API.

TRUSTe wanted to build an interface flexible enough for TRUSTe to build its own application on, yet friendly and simple for its partners. This translates into being explorable via a web browser and using web standards.

The first step was to identify which functions to expose. Since security and privacy are TRUSTe’s main modus vivendi, TRUSTe decided to expose only the GET method (read only) and always to use SSL. Another advantage of always using SSL is that guaranteed encrypted communication simplifies authentication efforts: you can get away with simple access tokens instead of having to sign each API request.

TRUSTe’s roadmap includes a full REST API for TRUSTe partners. It will let partners access their data, filter it, sort it and paginate through the results. The resulting data set will be JSON objects.

For version 1, available today, the service will push data securely (via SSL) to partners, to a location of their choice, as often as necessary: every hour, every 2 hours, daily, etc. The data set will include both opt-out and preferences data, if applicable.

Each partner will give TRUSTe the location where they want the data to be transferred:

TRUSTe takes pride in providing high quality customer service through our dedicated account management team, while providing flexibility to our global clients through a self-service portal. Our self-service portal launched in 2011 to provide our clients the ability to pull their own reports, and later, the ability generate their own TRUSTed Ad tags for AdChoices implementations.

TRUSTed Ads can be implemented in any ad serving system and can also be integrated with the platform through an API to make it seamless for your ad operations team. TRUSTe has integrations with major platforms including AppNexus to make experiences as easy as a checkbox. Having a self-service portal at hand allows clients to make changes on the fly whether it is to update the logo, privacy policy link, or verbiage of the in-ad interstitial.

For global clients, the feature to generate localized tags in EU languages is seen as a tremendous benefit. To enhance global language support, TRUSTe tags have dynamic browser language detection to ensure the appropriate translation displays depending on the user’s browser settings. Within the self-service portal, clients can already easily move icons to various corners and modify the cid to report back on granular campaign data.

TRUSTe tags are battle-tested, being able to dynamically detect rich media expandables, Flash creatives (with or without wmode), and SSL environments and respond accordingly. TRUSTe also has SmartTags that let you use ONE tag across all creatives. We proactively create SmartTags for major ad serving systems, including DoubleClick, Microsoft Atlas, MediaMind and many more, either by finding the ad size parameters in the ad tag or simply by digesting ad size macros in our tag. TRUSTe’s tag was built on the notions of flexibility and simplicity, because TRUSTe knows trafficking is already a lot of work and a complementary privacy system should bake into existing processes.

Self-Service is not just a reality for our TRUSTed Ads products. Across all our services, we strike a balance between being your personal privacy advocate as policy and regulations change globally and giving you control over technical compliance tools. TRUSTe knows that privacy management done well involves both pushing the envelope in new technology and expert skilled services. TRUSTe is the leading global Data Privacy Management (DPM) company and powers trust in the data economy by enabling businesses to safely collect and use customer data across web, mobile, cloud and advertising channels.

Agile methodologies offer the benefits of a sustainable, lightweight, and predictable development culture, allowing the work to be refined through an ongoing, quick-turnaround execution format. The real outcome can be more predictable, and as a result the stakeholders gain a flexible and dynamic understanding, based on what was built, of how to deliver the most value to markets that often act like moving targets. You can easily find many such definitions of Agile practices with a simple web search.

Yet in a broader sense, the culture of agility can help to evolve an organization that may still carry the momentum of more traditional, sequential development styles. Often the focus of development is on over-documentation and on redundancy in phases or stage gates. A valid question is: “Why does such momentum persist?” In contrast, when Agile is alluded to, it is often confused or erroneously interchanged with notions of lack of documentation or with disorganization. Productivity can be questioned when the iterations fail to deliver the flexibility and predictability promised. Instead, the cycles demonstrate less progress than ideal, or the changes are more about fixing blemishes due to poor expectation setting at the beginning. In such cases, both practices have been poorly articulated and, more importantly, have not been considered in light of the organization’s culture and the changing nature of the market.

Especially when facing emerging market trends, product development is highly impacted by unknowns. Clarifying those unknowns can be extremely costly, which further aggravates the business projections. For example, the shift to mobile from the existing “Internet of things” creates an exponentially long tail of countless issues, as is visible in all metrics. One only has to look at the tremendous explosion of mobile apps, ecosystems, and mobile devices evident in so many case studies. The need to handle, analyze, and make decisions based on so much growth means that development cycles of months are quickly becoming obsolete.

Communicating with business stakeholders with manageable expectations in such a fluctuating climate requires that the product owner and developers have solid foundations. This can mean technology stacks influenced by dynamic development: tier abstraction, concurrent development, and reduced heavyweight technology dependencies. It can also mean product requirements established with a clear state: tangible objectives, measurable results, and incremental ambition. There is no prescriptive formula or complete checklist to follow. In fact, this is at the heart of what Agile should truly strive for: influencing the “brain power” of the whole rather than relying on one or two individuals.

At its heart, Agile is about self-organization and real ownership of problem solving, combined with integration into a larger, perpetually improving team. Supporting a business’ success can only be done by the product owner and developers building credibility by delivering solutions together. That credibility must be rooted in the synergy of product design and a technology platform and stack that can adjust and respond dynamically. Transformation can’t be magically master-planned but rather must be brought to life by coaxing each member of the organization to develop a self-governance culture. This matter requires its own investigation, as each organization is uniquely formed by a mix of individuals. How has TRUSTe been evangelising itself? Look for Part II for further discussion.

TRUSTe has recently extended its Website Monitoring capability by introducing process flow scanning. This web browser add-on (currently in beta) provides for customized site scanning and analytics by providing the ability to scan any part of a site in any sequence as often as needed. This allows for seamless site navigation and reporting into a central portal with all the rich analytics necessary for complete and accurate discovery of tracking on specific flows on a website.

How it works

Navigate to where you need to scan > start your scan > navigate the process > end your scan > view results in your account at my.truste.com instantly.

It is that simple.

Use cases

Some examples of customer-specified use cases we have seen include:

1. Making purchases after logging into an account: What trackers drop when different products are purchased

2. Creating a specific persona for purpose of tracking analytics

3. Closing an account and taking the corresponding survey: what trackers drop? – is the survey really anonymous?

4. Shopping cart drop-off: marketing needs to verify what cookies drop when an order is not completed

5. Cookie consent testing: testing what cookies drop when cookie preferences are set on the site, for EU cookie directive compliance

6. Reporting on tracking behind a VPN

These are just samples of the use cases TRUSTe can and has scanned into for customers. Every business will have a different use case that can be fulfilled using this technology.

Problems doing this manually

Manual methods of looking for trackers, such as using a consumer tracker plug-in or tools like Firebug, are cumbersome and time consuming, and they don’t provide all the information needed to make informed decisions about site tracking. For example, having to copy and paste each line item from a tool like Firebug into a spreadsheet takes time, and then one would still need to identify which entity belongs to each domain, how that entity got to the website, what its privacy practices are, etc.; none of this insight is available from plug-ins and similar tools. Just ask the TRUSTe Ops team about this painful process: their experiences led to this new browser add-on being developed.

Trying to derive this type of data using consumer plug-ins simply does not give the enterprise control over the specific site processes they may need scanned and analyzed.

Availability

This is not a consumer privacy tool. The technology was developed specifically for an enterprise to get a better understanding of the data flows across specific areas on its site. This technology is currently only available to TRUSTe Website Monitoring customers.

Comprehensive web tracking analytics

With this addition to our Website Monitoring Service, TRUSTe now provides analytics across an entire site, or just a specified portion of that site.

But enough talk on tracking: did you know that our monitoring service has been extended to identify and report on personal information collection? Keep a look out for my next post on how TRUSTe website tracking technology has transcended being solely a tool for tracker detection and has evolved into a full-featured privacy management tool that detects all data collection (tracking as well as personal information), providing the insight needed to understand comprehensive data collection across web properties. Our privacy pros use it today as part of their privacy assessments and certifications. Our customers are able to do so too.

January 1, 2014 is almost here. By that date, in order to comply with the newly revised CalOPPA law, companies must disclose in their privacy policies how they handle Do Not Track (DNT) signals set in a user’s browser.

TRUSTe’s website monitoring service provides a wealth of website tracking analytics and has been extended to provide Do Not Track site analytics.

For example, a sample DNT scan of a car rental website shows an overall reduction in third party tracking as compared to when DNT was not set – 32% fewer third parties resulting in a 38% reduction in third party cookies.

DNT Setting   Number of third parties   Number of cookies
DNT:1         43                        66
DNT:0         63                        106

Although there is not yet an industry standard for DNT, companies can still start evaluating how their third party vendors are responding to browser DNT signals.

The recent changes to the COPPA (Children’s Online Privacy Protection Act) rule put out by the FTC attempt, in part, to address the confusion over who is really responsible for COPPA compliance, given that most digital properties are comprised of content or ads served by third parties. According to the amended rule, the onus is on the operator to comply. Operators in this case are companies that offer online services directed towards children or that directly collect personal information from children. Operators are typically first parties, such as brands or publishers, but to complicate that statement further, the COPPA changes state:

“…the definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service.”

This means third parties are indeed responsible, provided that they have “actual knowledge”. There are two cases where third parties can obtain this knowledge. One way is for the publisher to directly communicate the nature of their online service to all its partners and vendors. Another way is for a representative from the third party to deem the site and/or app child directed after observing messaging, images and other artifacts that would appeal to just children. In the mobile gaming world, there can be some blurred lines with the second method.

A developed flagging system to signal third parties would be much more scalable for the industry than manually scanning sites and apps to discover whether they are child directed. There are a few technologies already in place that enable first parties to communicate to third parties whom their content and advertisements are being served to. One mechanism for getting this knowledge is no different from how they already get the information used to serve targeted ads and content to consumers via a JavaScript ad tag.

This comes from the OpenRTB Specification, which is a protocol for communicating between the players of the ad ecosystem: SSPs, DSPs, ad networks, ad exchanges and data platforms. In the spec is a user object, which contains information about the end user of a device or desktop that can be passed over to a third-party content provider, advertiser and the like. It helps them determine what should be displayed in relation to the end user. By passing another piece of information, for example a COPPA flag (i.e. COPPA=Y in the buyerID field) stating that the embedding site is compliant with the rule, third parties can choose more appropriate content, making a better experience for young audiences. Using existing ad tags to receive this signal also creates efficient bidding in the exchange due to more accurate targeting.
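What a receiving party should do with that flag, as an added example that is neither TRUSTe’s code nor anything from the OpenRTB project. It checks a bid request for the COPPA signal two ways: the convention the post describes (a `COPPA=Y` marker in the buyer id field, assumed here to be OpenRTB’s `user.buyeruid`) and the spec’s own `regs.coppa` field, which exists in OpenRTB 2.2 and later. When the request is flagged it strips the user and device fields that would otherwise drive interest-based targeting and keeps only creatives marked suitable. The sample request and the `childSafe` creative attribute are constructed, not part of the spec.

```javascript
// Added example, not TRUSTe's code and not from the OpenRTB project. DSP-side
// handling of the COPPA signal: the post's "COPPA=Y in the buyer id field"
// convention (assumed to be OpenRTB's user.buyeruid) and the spec's regs.coppa
// flag (OpenRTB 2.2+). Sample request and the "childSafe" creative attribute
// are constructed.

// True when either form of the signal is present on the request.
function isCoppaFlagged(bidRequest) {
  if (bidRequest.regs && bidRequest.regs.coppa === 1) return true;
  const buyerId = (bidRequest.user && bidRequest.user.buyeruid) || '';
  return /(^|[;,])\s*COPPA=Y\s*([;,]|$)/i.test(buyerId);
}

// Return a copy of the request with the fields that drive interest-based
// targeting removed, so downstream code cannot use them by accident.
function stripTargeting(bidRequest) {
  const req = JSON.parse(JSON.stringify(bidRequest));
  if (req.user) {
    delete req.user.data;
    delete req.user.yob;
    delete req.user.gender;
    delete req.user.geo;
  }
  if (req.device) {
    delete req.device.ifa;
    delete req.device.geo;
  }
  return req;
}

// Pick the creatives allowed to bid on this request. For a flagged request only
// creatives explicitly marked childSafe are eligible; unknown ones are dropped.
function selectCreatives(bidRequest, creatives) {
  const flagged = isCoppaFlagged(bidRequest);
  const request = flagged ? stripTargeting(bidRequest) : bidRequest;
  const eligible = creatives.filter((c) => !flagged || c.childSafe === true);
  return { flagged, request, eligible: eligible.map((c) => c.id) };
}

// Constructed sample: a child-directed request carrying both signals.
const SAMPLE_REQUEST = {
  id: 'req-123',
  imp: [{ id: '1', banner: { w: 320, h: 50 } }],
  user: { buyeruid: 'COPPA=Y', yob: 2010, data: [{ id: 'seg-1' }] },
  device: { ifa: 'IFA-EXAMPLE', geo: { lat: 0, lon: 0 } },
  regs: { coppa: 1 },
};

// Constructed creatives; childSafe is this example's own metadata.
const SAMPLE_CREATIVES = [
  { id: 'cr-toy', childSafe: true },
  { id: 'cr-casino', childSafe: false },
  { id: 'cr-unknown' },
];
```

The point of `stripTargeting` is that honouring the flag means more than choosing a different creative: the identifiers and segments that would feed behavioural targeting should not reach the bidding logic at all once the request is known to be child-directed.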

In the case of mobile apps, understanding the end user of a device can be more challenging. We live in a digital age, where children are more tapped into technology than ever before and devices are ubiquitous in day-to-day life. Children may not own their own smartphones or tablets, but the vast majority of apps and media are targeted for young users’ consumption. A friend told me that her son (who confessed that he loved the iPad more than his father) downloaded a seemingly harmless game. She noticed that inappropriate ad images were being displayed, so she immediately removed it from her device. Something the app developer could do is pass the COPPA signal via an existing SDK, e.g. an SSP SDK. This mechanism is specific to native mobile apps and is already used for online behavioral advertising practices. At the time the app is initiated, it could transmit a signal to the third parties in the ad exchange.

Another avenue that app developers can take to ensure their COPPA compliance is communicated is app monitoring and assessment. These types of services audit the activity of the app, including any data collection and transmission to third parties, as well as external calls made by the app. This type of assessment can ensure compliance with self-regulatory governance such as COPPA and CalOPPA and create an insightful report, which can be used as a tool to communicate with all partnering companies who may collect and pass data from children using the app. Each time an update is made to the app, the monitoring service can run a report and alert first parties to communicate their COPPA compliance to partners, so that they send appropriate content and ads.

SDK work flow

Technology exists today for both the web and more importantly on mobile devices where children are the most vulnerable. TRUSTe, the leader in global Data Privacy Management solutions, creates these technologies to allow for innovation and progress to continue and for self-regulatory mandates to be met by the industry for the consumer. The TRUSTed Ads solution for display, mobile web and mobile app ads provides the mechanisms needed for involved parties in OBA to communicate end user opt-out preferences. The preference reading JavaScript tag and SDK used to communicate consumer choice in online behavioral advertising can easily retrieve COPPA signals and propagate them to the industry.

TRUSTe also brings TRUSTed apps to the mobile industry, offering services that analyze app data collection practices, third party sharing for contractual provisions and data governance policies. An enterprise version of this service additionally evaluates security and malware scanning of the app. Raising the COPPA flag doesn’t require any heavy engineering or additional load to your site and/or app. TRUSTe can provide the technology solutions to make it happen today. It simply makes for a better, safer environment for all kids.

This is the response from a typical website operator when TRUSTe recommends an audit of all third-party tracking on their site. How surprised they are to discover third parties on their site of which they were not aware. When this happens, and it happens often, the customer typically goes through a reaction cycle:

First: Denial – “You made a mistake. We definitely do not deal with companies.”

Second: Prove it. Even though TRUSTe identifies the vendors responsible for allowing these additional third parties onto the site, customers often refuse to believe it. In one instance a customer went so far as to remove the identified vendor tag from the site and have TRUSTe rescan. Lo and behold, the unknown third parties were no longer present.

Third: Appreciation – “Wow, this is great. We had no idea there were other third parties on our site.”

So how do third parties get on a site?

I divide third parties into two categories: “vendors” and “fourth parties.”

Vendors are those third parties your site calls directly, i.e. you have placed that third party tag directly into its HTML code.

Fourth parties are those third parties that may piggy-back off of a vendor tag to get to your site. As you are not calling them directly you may not be aware of their presence on your site.
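The vendor/fourth-party distinction can be made mechanically from the same two things a scan records: what the page’s own HTML calls directly, and which resource triggered each subsequent request. The following is an added example, not TRUSTe’s scanner. It takes a constructed first-party HTML snippet and a constructed request log with an `initiator` per request (the kind of initiator chain a browser’s developer tools or a HAR export records) and labels every third-party host as a vendor or as a fourth party reached through a named vendor. The hostnames are invented, and the registrable-domain check is a deliberate simplification noted in the code.

```javascript
// Added example, not TRUSTe's scanner. Classifies third-party hosts seen during
// a page load as "vendor" (called directly from the page's HTML) or "fourth
// party" (fetched by another third party's code). Inputs are constructed.

const FIRST_PARTY_HOST = 'www.shop.example';

// Constructed first-party page: two vendors embedded directly.
const PAGE_HTML = `
<html><head>
<script src="https://cdn.vendor-a.example/tag.js"></script>
<script src="/static/app.js"></script>
<img src="https://pixel.vendor-b.example/p.gif">
</head></html>`;

// Constructed request log: each request with the resource that initiated it.
const REQUEST_LOG = [
  { url: 'https://www.shop.example/static/app.js', initiator: 'https://www.shop.example/' },
  { url: 'https://cdn.vendor-a.example/tag.js', initiator: 'https://www.shop.example/' },
  { url: 'https://pixel.vendor-b.example/p.gif', initiator: 'https://www.shop.example/' },
  { url: 'https://sync.data-broker.example/match?id=1', initiator: 'https://cdn.vendor-a.example/tag.js' },
  { url: 'https://cdn.ad-exchange.example/bid.js', initiator: 'https://sync.data-broker.example/match?id=1' },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Registrable domain approximated as the last two labels; a production scanner
// would use the Public Suffix List so that e.g. co.uk hosts compare correctly.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function isThirdParty(host) {
  return baseDomain(host) !== baseDomain(FIRST_PARTY_HOST);
}

// Third-party hosts referenced directly by src attributes in the page HTML.
function embeddedHosts(html) {
  const hosts = new Set();
  const re = /\bsrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const u = new URL(m[1], 'https://' + FIRST_PARTY_HOST + '/');
    if (isThirdParty(u.hostname)) hosts.add(u.hostname);
  }
  return hosts;
}

// Walk the log: a third party is a vendor when the page itself called it, and a
// fourth party when some other third party's resource triggered the request.
// A host seen both ways is reported as a vendor.
function classifyParties(html, log) {
  const direct = embeddedHosts(html);
  const result = {};
  for (const entry of log) {
    const host = hostOf(entry.url);
    if (!isThirdParty(host)) continue;
    const via = hostOf(entry.initiator);
    const isVendor = direct.has(host) || !isThirdParty(via);
    if (!result[host] || (isVendor && result[host].role !== 'vendor')) {
      result[host] = {
        role: isVendor ? 'vendor' : 'fourth party',
        via: isVendor ? FIRST_PARTY_HOST : via,
      };
    }
  }
  return result;
}
```

Run against the constructed log, `cdn.vendor-a.example` and `pixel.vendor-b.example` come out as vendors, while `sync.data-broker.example` is a fourth party brought in by vendor A and `cdn.ad-exchange.example` is a fourth party brought in, in turn, by the data broker. The `via` field is what turns a list of unknown domains into something actionable: it names the vendor whose tag is responsible for each extra party.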

Managing fourth parties

Are fourth parties “bad”? Not necessarily – in fact if you are relying on ad supported revenue then you should expect additional parties to be present in the ad chain, e.g., SSPs, DSPs, data providers, etc.

Do you need to know what fourth parties are present? Absolutely!

Step 1: Find out what vendors and fourth party tags are on your site.

Step 2: Effectively monitor and manage these third party tags. Many companies opt for a tag management solution to help streamline third party tag management. Simply put, tag management involves replacing all third party tags on your site with one central tag container. All other third party tags are then wrapped into this central tag container, allowing a site operator to manage all tags in one central place. Tag management allows you to easily manage and remove tags from your site.

Step 3: Ongoing site monitoring and tag management.

A tag management system alone is not the silver bullet we would all hope it would be:

Tag managers can only manage the tags that they are allowed to see. They will not see any new tags added to your site outside of the central tag container – and let’s face it people are fallible. Even though internal policy might dictate that all tags must be added through the tag management system – mistakes happen.

There are limitations around managing and blocking redirects to fourth parties.

There is no insight given into client side behavior, e.g., what cookies, pixels or flash cookies are being set.

There is often no insight into who these parties are and what they do.

For this reason, TRUSTe’s Website Tracker Monitoring Service forms an important part of the tag management ecosystem. We provide a comprehensive discovery of all vendor and fourth party tracking on your website and monitor your website on an ongoing basis for new parties and trackers.

Providing detailed information and privacy risk analysis on all fourth parties enabling customers to make informed decisions. TRUSTe’s database of over 17000 tracking domains is integrated into our reporting and is available as a standalone data set. We know who these third parties are, what they do, their privacy practices and provide you with this information together with their overall privacy risk to your site and site users.

Providing detailed analysis of client side behavior e.g., what cookies, flash cookies, web storage, pixel tags and scripts are being dropped and by whom.

Continued monitoring and detection of unmanaged tags and fourth parties.

Verifying that the tag management system is operating as intended and only allowing authorized vendors onto the site.